In order to configure fail2ban for xrdp attacks, I need some help with a regexp.
In /var/log/xrdp.log I can see:
[20201229-12:24:42] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:82.74.118.114 port 55267
So in jail.conf I add:
[rdp]
enabled = true
filter = rdp
action = iptables-multiport[name=rdp, port="3389,3390,3391", protocol=tcp]
logpath = /var/log/xrdp.log
maxretry = 5
And for the filter.d/rdp.conf I wrote:
[Definition]
failregex = connection received from ::ffff:<HOST> port
ignoreregex =
Obviously my regexp is bad...
Can someone help me? Thx
Your failregex is redundant because <HOST> is an alias for the pattern (?:::f{4,6}:)?(?P<host>\S+), which includes the ::ffff: part. Also the date format in your log isn't supported by the default date templates of fail2ban, so you must set a custom date pattern.
[Definition]
failregex = connection received from <HOST>
ignoreregex =
datepattern = %%Y%%m%%d-%%H:%%M:%%S
As a rule of thumb you should always test your date patterns and regex with the fail2ban-regex tool.
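The following is an added example, not code from fail2ban or from either poster, showing what the answer describes: how the <HOST> alias expands, why the literal ::ffff: prefix in the question's regex is redundant (and what it silently misses), and how the custom datepattern is applied once the config-file %% escaping is undone. The log lines are constructed after the one in the question, and the date handling is a deliberate simplification of fail2ban's real date detector; fail2ban-regex remains the authoritative check.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the line quoted in the question.
SAMPLE_LOG = """\
[20201229-12:24:42] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:82.74.118.114 port 55267
[20201229-12:24:50] [INFO ] Socket 13: AF_INET6 connection received from ::ffff:82.74.118.114 port 55268
[20201229-12:25:01] [INFO ] Socket 14: AF_INET6 connection received from ::1 port 40010
"""

# The alias fail2ban substitutes for <HOST>, as quoted in the answer:
# an optional IPv4-mapped prefix, then a non-space host token.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

FAILREGEX = "connection received from <HOST>"               # the answer's filter
REDUNDANT_FAILREGEX = "connection received from ::ffff:<HOST> port"  # the question's filter
DATEPATTERN = "%%Y%%m%%d-%%H:%%M:%%S"                        # as written in filter.d/rdp.conf

# Simplified timestamp locator: the bracketed prefix at the start of the line.
DATE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")


def expand_failregex(failregex):
    """Replace <HOST> with the alias pattern and compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def datepattern_to_strptime(datepattern):
    """fail2ban config files escape % as %%; undo that to get a strptime format."""
    return datepattern.replace("%%", "%")


def extract_host(line, failregex=FAILREGEX):
    """Return the host captured by failregex from one log line, or None."""
    m = expand_failregex(failregex).search(line)
    return m.group("host") if m else None


def parse_line(line, failregex=FAILREGEX, datepattern=DATEPATTERN):
    """Return (timestamp, host) for a matching line, or None.

    A line without a parseable timestamp is skipped, which is the failure
    mode the question hit: the regex may be fine, but fail2ban cannot
    count a hit it cannot date.
    """
    m = DATE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), datepattern_to_strptime(datepattern))
    except ValueError:
        return None
    host = extract_host(m.group("rest"), failregex)
    if host is None:
        return None
    return ts, host


def count_failures(log_text, failregex=FAILREGEX, datepattern=DATEPATTERN):
    """Tally matching lines per host, the figure fail2ban compares with maxretry."""
    counts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, failregex, datepattern)
        if parsed is None:
            continue
        counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    print("answer's regex   :", extract_host(first))
    print("question's regex :", extract_host(first, REDUNDANT_FAILREGEX))
    print("per-host counts  :", count_failures(SAMPLE_LOG))
```

Both regexes extract the same host from the IPv4-mapped line, which is what "redundant" means here; the question's version additionally fails to match the plain IPv6 line, because it hard-codes a prefix the alias already treats as optional. Swapping DATEPATTERN for a format that does not fit the bracketed timestamp makes count_failures return an empty dict, reproducing the original symptom.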